MAPLESEC panel: Incident response teams should expect the unexpected

Cyber incident response (IR) teams have to be prepared for the worst. But most think the worst is data loss or blackmail.

The worst, Canadian cybersecurity strategist Brennan Schmidt says, was having to be part of the incident response team after the 2018 Saskatchewan bus crash that killed 16 people, many of whom were players, coaches and staff of the Humboldt Broncos hockey team.

As he recounted in a panel discussion on incident response during Thursday’s MapleSec Satellite online series, a number of things were unanticipated.

One was the need to get control of the hockey club’s website, email and social media accounts. However, the person responsible for managing the credentials had been killed in the crash. Lawyers had to be involved to solve that problem.

Another was the inability to access the DNS server for the club’s website so the site could be used to post information to families and supporters. “We had to buy a domain name folks could get access to,” Schmidt said – but it was hard to find a name similar to the hockey club’s because, for some reason, such names were rapidly being bought by others. Eventually that problem was solved by finding a name that hadn’t been scooped up.

The recollection was one of several that panel participants offered to show the importance of incident response teams not only practicing their playbooks, but being imaginative about what is put in them.

“Expect the unexpected,” said Cat Coode, founder of the Canadian-based Binary Tattoo data privacy consultancy. She pointed to the oft-cited hacking of a casino through an internet-connected thermometer in the building’s aquarium.

For inspiration – and fun – she said, watch 10-year-old movies for ways characters supposedly hacked into IT systems that could be possible now if a company has legacy technology. “Today we protect for the highest-level technology, but if you have something in your building that is even five years old it’s hackable.” Then think about how to mitigate that risk.

Try gamification – a long word for playing games – to get IT staff to think outside the box, she said. “I like to put the onus back on people to come up with ideas.” For example, pretend a password has been hidden by the game leader on a company laptop. The challenge is for staff to think of how to get it.

Staff will come up with ideas leaders haven’t thought of, Coode said.

Similarly, Schmidt said, IR teams should think about recovery strategies for lost access to email, server or Twitter accounts. Games like this will bolster your capabilities, he said.

Asked who should be on the IR team, Coode suggested that in addition to IT members there should be representation from the executive, legal, HR, PR/communications, customer service and privacy departments. Should the organization have cyber insurance coverage, a person from the insurer will be on the team. They may provide legal counsel, she added, or pay for the firm to choose a counsel.

In addition, have contact information for your building’s internet and electric providers.


When developing the IR action plan, start by creating a risk register, said Schmidt: enumerate what is the most important data to your organization in terms of risk or impact should it be lost. “Those that you should focus on should bubble up to the top of the list,” he said. That, then, creates the priorities to focus on in terms of protection and incident response.

That will also lead to consideration of what technologies are needed to prevent access to the prime data, he said.

As for creating an incident response plan, Coode noted that many IT companies and governments have free online frameworks or playbooks. These should be customized for each organization, she stressed.

“Having a (IR) policy in your back pocket is all well and good, but it’s no help if the organization isn’t actually following what it says,” she said. “To me, the big thing is they’ve been customized and made to work for your company.”


As for who should lead the IR team, Coode said “the best person is the most organized, because what you really want during an incident is communications flow. You need someone who can track what is happening, communicate with the IT team, the execs, PR” to make sure what needs to be done gets done. It could be the head of IT, she said, or a project management leader. And there must be a backup leader in case something unforeseen happens, she said.


Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
